svn commit: r202765 - in stable/7/sys: kern sys

John Baldwin jhb at FreeBSD.org
Thu Jan 21 19:17:43 UTC 2010 

Author: jhb
Date: Thu Jan 21 19:17:42 2010
New Revision: 202765
URL: http://svn.freebsd.org/changeset/base/202765

Log:
  MFC 198411:
  - Fix several off-by-one errors when using MAXCOMLEN.  The p_comm[] and
    td_name[] arrays are actually MAXCOMLEN + 1 in size and a few places that
    created shadow copies of these arrays were just using MAXCOMLEN.
  - Prefer using sizeof() of an array type to explicit constants for the
    array length in a few places.
  - Ensure that all of p_comm[] is always zero'd during execve() to guard
    against any possible information leaks.  Previously trailing garbage in
    p_comm[] could be leaked to userland in ktrace record headers.

Modified:
  stable/7/sys/kern/kern_exec.c
  stable/7/sys/kern/kern_ktrace.c
  stable/7/sys/kern/subr_bus.c
  stable/7/sys/kern/subr_taskqueue.c
  stable/7/sys/sys/interrupt.h
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/kern/kern_exec.c
==============================================================================
--- stable/7/sys/kern/kern_exec.c	Thu Jan 21 19:11:18 2010	(r202764)
+++ stable/7/sys/kern/kern_exec.c	Thu Jan 21 19:17:42 2010	(r202765)
@@ -559,9 +559,9 @@ interpret:
 	execsigs(p);
 
 	/* name this process - nameiexec(p, ndp) */
+	bzero(p->p_comm, sizeof(p->p_comm));
 	len = min(ndp->ni_cnd.cn_namelen,MAXCOMLEN);
 	bcopy(ndp->ni_cnd.cn_nameptr, p->p_comm, len);
-	p->p_comm[len] = 0;
 
 	/*
 	 * mark as execed, wakeup the process that vforked (if any) and tell

Modified: stable/7/sys/kern/kern_ktrace.c
==============================================================================
--- stable/7/sys/kern/kern_ktrace.c	Thu Jan 21 19:11:18 2010	(r202764)
+++ stable/7/sys/kern/kern_ktrace.c	Thu Jan 21 19:17:42 2010	(r202765)
@@ -257,6 +257,10 @@ ktrace_resize_pool(u_int newsize)
 	return (ktr_requestpool);
 }
 
+/* ktr_getrequest() assumes that ktr_comm[] is the same size as p_comm[]. */
+CTASSERT(sizeof(((struct ktr_header *)NULL)->ktr_comm) ==
+    (sizeof((struct proc *)NULL)->p_comm));
+
 static struct ktr_request *
 ktr_getrequest(int type)
 {
@@ -284,7 +288,8 @@ ktr_getrequest(int type)
 		microtime(&req->ktr_header.ktr_time);
 		req->ktr_header.ktr_pid = p->p_pid;
 		req->ktr_header.ktr_tid = td->td_tid;
-		bcopy(p->p_comm, req->ktr_header.ktr_comm, MAXCOMLEN + 1);
+		bcopy(p->p_comm, req->ktr_header.ktr_comm,
+		    sizeof(req->ktr_header.ktr_comm));
 		req->ktr_buffer = NULL;
 		req->ktr_header.ktr_len = 0;
 	} else {

Modified: stable/7/sys/kern/subr_bus.c
==============================================================================
--- stable/7/sys/kern/subr_bus.c	Thu Jan 21 19:11:18 2010	(r202764)
+++ stable/7/sys/kern/subr_bus.c	Thu Jan 21 19:17:42 2010	(r202765)
@@ -3597,8 +3597,8 @@ int
 bus_describe_intr(device_t dev, struct resource *irq, void *cookie,
     const char *fmt, ...)
 {
-	char descr[MAXCOMLEN];
 	va_list ap;
+	char descr[MAXCOMLEN + 1];
 
 	if (dev->parent == NULL)
 		return (EINVAL);

Modified: stable/7/sys/kern/subr_taskqueue.c
==============================================================================
--- stable/7/sys/kern/subr_taskqueue.c	Thu Jan 21 19:11:18 2010	(r202764)
+++ stable/7/sys/kern/subr_taskqueue.c	Thu Jan 21 19:17:42 2010	(r202765)
@@ -343,7 +343,7 @@ taskqueue_start_threads(struct taskqueue
 	va_list ap;
 	struct taskqueue *tq;
 	struct thread *td;
-	char ktname[MAXCOMLEN];
+	char ktname[MAXCOMLEN + 1];
 	int i, error;
 
 	if (count <= 0)
@@ -351,7 +351,7 @@ taskqueue_start_threads(struct taskqueue
 	tq = *tqp;
 
 	va_start(ap, name);
-	vsnprintf(ktname, MAXCOMLEN, name, ap);
+	vsnprintf(ktname, sizeof(ktname), name, ap);
 	va_end(ap);
 
 	tq->tq_pproc = malloc(sizeof(struct proc *) * count, M_TASKQUEUE,

Modified: stable/7/sys/sys/interrupt.h
==============================================================================
--- stable/7/sys/sys/interrupt.h	Thu Jan 21 19:11:18 2010	(r202764)
+++ stable/7/sys/sys/interrupt.h	Thu Jan 21 19:17:42 2010	(r202765)
@@ -47,7 +47,7 @@ struct intr_handler {
 	driver_intr_t	*ih_handler;	/* Handler function. */
 	void		*ih_argument;	/* Argument to pass to handler. */
 	int		 ih_flags;
-	char		 ih_name[MAXCOMLEN]; /* Name of handler. */
+	char		 ih_name[MAXCOMLEN + 1]; /* Name of handler. */
 	struct intr_event *ih_event;	/* Event we are connected to. */
 	int		 ih_need;	/* Needs service. */
 	TAILQ_ENTRY(intr_handler) ih_next; /* Next handler for this event. */
@@ -94,8 +94,8 @@ struct intr_handler {
 struct intr_event {
 	TAILQ_ENTRY(intr_event) ie_list;
 	TAILQ_HEAD(, intr_handler) ie_handlers; /* Interrupt handlers. */
-	char		ie_name[MAXCOMLEN]; /* Individual event name. */
-	char		ie_fullname[MAXCOMLEN];
+	char		ie_name[MAXCOMLEN + 1]; /* Individual event name. */
+	char		ie_fullname[MAXCOMLEN + 1];
 	struct mtx	ie_lock;
 	void		*ie_source;	/* Cookie used by MD code. */
 	struct intr_thread *ie_thread;	/* Thread we are connected to. */

More information about the svn-src-all mailing list